Date: Fri, 10 Dec 2010 09:48:20 +0000 (GMT)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Exim remote root

A number of sites are reporting an exim remote root based on this
report:
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

Quoting David Woodhouse: "There are two bugs here. First a remote exploit
where the attacker somehow tricks Exim into evaluating data it shouldn't,
and honouring a ${run {/bin/sh...}} directive which ends up giving the
attacker a shell (as user 'exim').

Secondly a privilege escalation where the trusted 'exim' user is able to
tell Exim to use arbitrary config files, in which further ${run ...}
commands will be invoked as root."
https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3

The remote vulnerability is still being investigated. However it is worth
allocating the CVE names now to help with co-ordination.

CVE-2010-4344 exim vuln that allows remote code execution as 'exim'
CVE-2010-4345 exim vuln that allows privilege escalation 'exim' to root

A patch for CVE-2010-4345:
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html

Thanks, Mark
--
Mark J Cox / Red Hat Security Response